topic Re: Some LDAP Users cannot login in Alfresco Forum

Some LDAP Users cannot login

t_schoeberl — Mon, 07 Aug 2017 08:35:54 GMT

Hello,I am currently working with Alfresco Community 5.2f and I have a problem with our LDAP authentication configuration. Mostly everyday there is an user who cannot login and nothing is in the logfile. The user is not locked in AD, because he can login in other applications and the other users can

Re: Some LDAP Users cannot login

afaust — Mon, 07 Aug 2017 09:37:45 GMT

If there is currently nothing in the log file then it is a bit difficult to guess what might be the cause, especially since other users can login. I recommend adjusting the log levels to get more information.Though Alfresco can be annoyingly reserved when it comes to logging, there might be some info to be gained. The following logger(s) should be set to DEBUG:

org.alfresco.repo.security.sync.ldap.LDAPUserRegistry
org.springframework.extensions.webscripts.DeclarativeWebScript

Since these loggers can create quite a lot of output it is recommended to only have them active when reproducing this issue with an end user. Normally, Alfresco Community Edition does not support dynamic changes to Log4J configuration, but you could use the OOTBee Support Tools addon which adds this capability to the Repository Administration Console / Share Admin Tools.

The DeclarativeWebScript is the generic class for all web scripts - setting its logger is meant to have Alfresco log out the error message for the authentication via the Share login form. The LDAPUserRegistry is used in parts of the authentication exchange when the user DN needs to be resolved from a simplified user name (in your case, matching the user name input against the CN of users).

Re: Some LDAP Users cannot login

cesarista — Mon, 07 Aug 2017 10:03:10 GMT

Yes, as Axel mentioned, log4j is your friend. Maybe this logger also helps:

log4j.logger.org.alfresco.repo.security.authentication.ldap=DEBUG

But, is this for an OpenLDAP or for an Active Directory ?

Regards.

--C.

P.S: By the way, you can set ldap.authentication.allowGuestLogin=false

Re: Some LDAP Users cannot login

t_schoeberl — Mon, 07 Aug 2017 10:10:56 GMT

Yes like you mentioned, I didn't want to set the loglevel to debug, because the output is quite a lot. Thanks, i will try the OOTBee Support Tools addon.

‌

Its for an Active Directory.

Regards.

Re: Some LDAP Users cannot login

t_schoeberl — Tue, 08 Aug 2017 06:52:30 GMT

So i installed the OOTBee Support Tools and set the LogLevel to DEBUG. If a user log in to Alfresco I see a DEBUG output in the Logfile. But unfortunately if a user who is locked try to log in, I see nothing in the logfile and he cannot log in. We think that the user is locked in AD and after 30 minutes he is unlocked but Alfresco don't recognize this and don't authenticate aigainst AD. Is the user locked somewhere in Alfresco intern? Do you have any idea?

Thanks and regards.

Re: Some LDAP Users cannot login

cesarista — Tue, 08 Aug 2017 07:17:10 GMT

Hi Tanja:

I'm asking because there exists two different OOTB subsystems for Alfresco: ldap (for OpenLDAP) and ldap-ad (for Active Directory using LDAP protocol).

community-edition-old/ldap-ad-authentication.properties at master · Alfresco/community-edition-old · GitHub

But is usual to see "sAMAccountName" as userIdAttributteName or ldap-ad in authentication chain, or

Regards.

--C.

Re: Some LDAP Users cannot login

cesarista — Tue, 08 Aug 2017 07:28:45 GMT

Hi,

Alfresco ldap (or ldap-ad) subsystem delegates authentication in AD, and so, no passwords are saved in Alfresco database. If you are right, Alfresco seems to do what it was made for. But if you are right, other aplications will be suitable of login issues during AD locks. And this would be generated by some application on your organization (Alfresco or another application) doing continuous wrong auth requests in AD, resulting in the corresponding temp locks.

Regards.

--C.

Re: Some LDAP Users cannot login

t_schoeberl — Tue, 08 Aug 2017 07:42:34 GMT

To be more precise i will try to give you a detailed information of what we do:

situation 1:
- user account in ad is not locked -> user is able to login to alfresco (which is ok)

situation 2:
- user tries to access a rest url, e.g. /alfresco/service/, user is prompted for username/password. if the user enters the wrong username/password for five times then the account is locked in ad
- user tries to login to alfresco -> user is not able to login, as the account ist locked in ad (as expected, the user is also unable to login through other applications that are chained to ad)
- account is unlocked in ad
- user tries to login to alfresco -> user ist not able to login (at the same time the user is able to login again through other applications that are chained to ad)

So we believe, that the status of a user account is somewhere cached in alfresco, which prevents alfresco to do a authentication query towards ad where the user would already be unlocked.

Re: Some LDAP Users cannot login

cesarista — Tue, 08 Aug 2017 09:33:13 GMT

Hi:

Maybe it is related with this feature in Alfresco 5.2:

https://community.alfresco.com/docs/DOC-6301-alfresco-community-edition-52#jive_content_id_Slowdown_of_Brute_Force_Attac…

Diving into repository.properties I see (you may check and confirm them also in System Information page in OOTB addon).

https://svn.alfresco.com/repos/alfresco-open-mirror/alfresco/HEAD/root/projects/repository/config/alfresco/repository.pr…

# Brute force protection
authentication.protection.enabled=true
authentication.protection.limit=10
authentication.protection.periodSeconds=6

Regards.

--C.

Re: Some LDAP Users cannot login

robsoncardoso_t — Thu, 10 Aug 2017 11:07:21 GMT

I have the same problem. And it started to happen only after using version 5.2.
The problem is that some users have problems authenticating to AD, I realized that this usually happens after the user changes the AD password and especially when the user generates a password with special characters.
I tried to identify if it could be the brute force attack feature but I did not find a relationship.

Re: Some LDAP Users cannot login

t_schoeberl — Thu, 10 Aug 2017 11:32:39 GMT

Solution:

In alfresco-global.properties

authentication.protection.enabled=false

So now the user can log in after unlocking in ad.

But so we think that the mitigating brute force attack on user passwords in Alfresco does not work correctly.

Mitigating brute force attack on user passwords | Alfresco Documentation

Thanks and regards!

Re: Some LDAP Users cannot login

robsoncardoso_t — Thu, 10 Aug 2017 11:52:25 GMT

The protection mechanism should be better described. For that I understand only the user should be blocked after 10 unsuccessful login attempts (authentication.protection.limit = 10), but there are no reports of non-authenticating users attempting to log in with the wrong password several times.

Re: Some LDAP Users cannot login

cesarista — Thu, 10 Aug 2017 12:49:56 GMT

Hi:

I think this is not for using audit tools like hydra in an evil way. But I think it may be problematic for the final user, when Alfresco is configured with a complex authentication chain with several user directory origins, and the user is failing several times the real password because he/she needs more coffee...

Regards.

--C.

Re: Some LDAP Users cannot login

ainsof — Mon, 22 Oct 2018 22:15:45 GMT

I have a similar problem and I think it has something to do with ldap-ad. When a user enters an incorrect password, their account gets locked on AD. When they are unlocked on AD, they are still locked on alfresco. The

authentication.protection.periodSeconds=6

settings seems to have no effect, as the account is locked until the alfresco service is restarted.

The solution of :

authentication.protection.enabled=false

works for me too